Full Disclosure mailing list archives

Re: SMS Banking


From: Christian Sciberras <uuf6429 () gmail com>
Date: Thu, 11 Feb 2010 15:31:06 +0100

Since people seem to aim at a "go" or "no-go" answer, thought I should
voice my opinion[s].
Mathematics is a very precise subject, even when accuracy is actually
lost, there are ways to store this loss (eg, a formula to store a
non-finite number).
That said, maths make up most things, but its weakness lies in
variables and the way precision is perceived.
In short, what today estimates to 0.2 may in the future estimate to a
staggering 0.6, and depending on the use, many entities and
consequences may be involved, be it human life or a secretary's PC.
Mathematics may be good at prediction and producing an image, but they
are practically useless. Saying that a piece of software is bound to
get "hacked" doesn't help it get "fixed".
Besides, we all know that there is no such thing as invulnerable
(perfect) software.
So, issuing risk numbers beyond failure rates on average simply
enforces the above affirmation, without any side-effects whatsoever.

My 2 mills

Cheers.

On Thu, Feb 11, 2010 at 11:45 AM, McGhee, Eddie <Eddie.McGhee () ncr com> wrote:
Going by his resume he has some basic networking/IT skills, no decent Cisco certs, can't code.. He may be able to do 
maths but everyone knows you cannot predict how a vuln is going to appear with some number crunching.. And with his 
skill set.. Secured over 1600 networks, no wonder financial institutes get pwned so much these days if people like 
this goon are working for them

I wouldn't waste any more time on this nub Thor, you have more than proved he is a douche.


-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Thor (Hammer of God)
Sent: 11 February 2010 02:34
To: Valdis.Kletnieks () vt edu; 'full-disclosure'
Cc: craig.wright () Information-Defense com
Subject: Re: [Full-disclosure] SMS Banking

Actually Valdis, it seems like all of this may be for naught.  It has been brought to my attention that drafting a 
contract with Dr. Wright wouldn't be in my best interest.  Apparently, he's known for not keeping to the "spirit" of 
contracts when money is concerned.

Now, if I were an ass, I might be tempted to publish the information found at 
http://www.lawlink.nsw.gov.au/scjudgments/2004nswsc.nsf/00000000000000000000000000000000/1c0f375d3250297dca256ef300196460?OpenDocument

but fortunately for the parties involved, I'm not.  Entering into a contract where willful misconduct and lying under 
oath may ensue is not my idea of a smart business move.  I'm not saying Dr. Wright did any of those things, (even 
though others have), I'm just saying that if one can't define what "product" means, then I doubt one can successfully 
define what "probability of compromise" means either.  Good money is on letting this one die as it lies (no pun 
intended).  So I must regretfully rescind my challenge, or not accept his, or whatever it was at this point.

Now, if I were REALLY an ass, I would point out something like though Dr. Wright has a degree in law, between him and 
his attorney, the best they could come up with when emails were found on his system and phone calls were on his cell 
bill was the "it wasn't me" defense. But again, I won't point that out.  It would be just plain mean.

If I REALLY REALLY were an ass, I would further point out the irony of a master of digital forensics not being able 
to properly delete emails from his computer in the first place, or the rumor that AU has this thing called "krypshun," 
but I won't mention that either.  That would be both crass and insensitive of me.

'twere I an ass cubed, I would take this opportunity to reference a Princess Bride joke in regard to the source of 
iocane powder (that one's for you, Laura) but again, I'll suffer internally to protect the innocent.

So I'll bow out.  Craig, you win buddy.  While I may never know what the Magic Number the Improbability Engine might 
have produced (now that Douglas has passed on) at least I know that criteria one must meet in order to be a Security 
Hero.

Thanks for playing everyone.  Good luck, and good night!

t



-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, February 10, 2010 1:17 PM
To: craig.wright () Information-Defense com
Cc: Thor (Hammer of God); 'full-disclosure'; pen-test () securityfocus com; security-basics () securityfocus com
Subject: Re: [Full-disclosure] SMS Banking

On Thu, 11 Feb 2010 07:02:43 +1100, "Craig S. Wright" said:
" Plain and simple.  Produce the contract, here, publically.  I'll
produce my $100,000 that you match, in escrow.  If the system gets
breached, any way I choose,

What happens if the system gets breached, but in a way not of your
choosing?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


